OMB: IT systems security at highest level in three years

On the heels of another poor showing in the annual congressional cybersecurity report card, the Office of Management and Budget earlier this week touted agency systems' security as being stronger than ever.

In the fiscal 2004 Federal Information Security Management Act report sent to Congress, the administration said 77 percent of 8,623 systems were certified and accredited as safe, and agencies tested their management, operation and technical controls of 76 percent of their applications.

These are improvements over the 2003 report, in which agencies reported 62 percent of 7,998 systems as secure and 64 percent with tested security controls.

Even with this progress, agencies still have not met OMB's goal of securing 80 percent of all systems. Last December, the administration upped the ante and required that 90 percent of all systems be certified and accredited by Sept. 30.

'The federal government has made significant progress in identifying and addressing its security weaknesses,' OMB said in the report. 'However, uneven implementation of security measures across the federal government leaves vulnerabilities to be corrected.'

The House Committee on Government Reform gave governmentwide cybersecurity a D grade in its annual report card released last month [see GCN story].

OMB also found agencies made progress in other security-related areas. For instance, 85 percent of agencies met OMB's goal of building security costs into the overall price of the project, and tested contingency plans for 57 percent of all applications.

The administration said agencies need to improve their agencywide plans of action and milestones for correcting security weaknesses and continue to develop their certification and accreditation processes.

The departments of Defense, Health and Human Services, Homeland Security, Housing and Urban Development and the Small Business Administration did not have plans of action and milestones approved by their respective inspectors general.

The IGs of the departments of Commerce, Defense, Education, HHS, DHS, HUD and NASA also said the certification and accreditation processes were poor.

According to OMB, agencies need to improve the accuracy, timeliness and completeness of the cybersecurity incident reports they file with DHS. In 2004, agencies reported 2,058 attacks to DHS' incident response center.

'Less than full reporting hampers the government's ability to know whether an incident is isolated at one agency or is part of a larger event, e.g., the widespread propagation of an Internet worm, and thus complicates and delays appropriate response such as distributing security patches or other compensating controls,' OMB noted.

DHS is piloting software for automatic transmittal of incident data from agency systems. The application should improve the government's ability to protect systems and respond to attacks, OMB said.
